Bug #6256

closed

eve: crash if output dir isn't writeable

Added by Victor Julien over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal

Description

root@c2758:/etc/suricata# /home/victor/dev/suricata/src/suricata -c ids-tun-mt.yaml -v -T --pcap
Notice: suricata: This is Suricata version 7.0.1-dev (4fd3205bf 2023-08-03) running in SYSTEM mode [LogVersion:suricata.c:1156]
Info: cpu: CPUs/cores online: 4 [UtilCpuPrintSummary:util-cpu.c:182]
Info: suricata: Running suricata under test mode [SuricataMain:suricata.c:2959]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2701]
Info: log-pcap: pcap-log profiling enabled [PcapLogProfileSetup:log-pcap.c:2016]
Info: log-pcap: pcap-log profiling output goes to /var/log/suricata-ids-tun//pcaplog_stats.log (mode w) [PcapLogProfileSetup:log-pcap.c:2038]
Info: privs: dropped the caps for main thread [SCDropMainThreadCaps:util-privs.c:93]
Error: logopenfile: Error opening file: "/var/log/suricata-ids-tun//eve.json": Permission denied [SCLogOpenFileFp:util-logopenfile.c:426]
=================================================================
==42045==ERROR: AddressSanitizer: attempting double-free on 0x6020002774f0 in thread T0 (Suricata-Main):
    #0 0x7f181971f40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55dc75ec9e3e in LogFileFreeCtx /home/victor/dev/suricata/src/util-logopenfile.c:899
    #2 0x55dc75da7395 in OutputJsonInitCtx /home/victor/dev/suricata/src/output-json.c:1212
    #3 0x55dc75dfd067 in RunModeInitializeOutputs /home/victor/dev/suricata/src/runmodes.c:863
    #4 0x55dc75b01392 in PreRunPostPrivsDropInit /home/victor/dev/suricata/src/suricata.c:2259
    #5 0x55dc75b0426a in SuricataMain /home/victor/dev/suricata/src/suricata.c:2978
    #6 0x55dc75af587c in main /home/victor/dev/suricata/src/main.c:22
    #7 0x7f18182ab082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55dc75af579d in _start (/home/victor/dev/suricata/src/suricata+0x2ca79d)

0x6020002774f0 is located 0 bytes inside of 9-byte region [0x6020002774f0,0x6020002774f9)
freed by thread T0 (Suricata-Main) here:
    #0 0x7f181971f40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55dc75da735d in OutputJsonInitCtx /home/victor/dev/suricata/src/output-json.c:1210
    #2 0x55dc75dfd067 in RunModeInitializeOutputs /home/victor/dev/suricata/src/runmodes.c:863
    #3 0x55dc75b01392 in PreRunPostPrivsDropInit /home/victor/dev/suricata/src/suricata.c:2259
    #4 0x55dc75b0426a in SuricataMain /home/victor/dev/suricata/src/suricata.c:2978
    #5 0x55dc75af587c in main /home/victor/dev/suricata/src/main.c:22
    #6 0x7f18182ab082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 (Suricata-Main) here:
    #0 0x7f18196a83ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
    #1 0x55dc75b34b59 in SCStrdupFunc /home/victor/dev/suricata/src/util-mem.c:74
    #2 0x55dc75da64a5 in OutputJsonInitCtx /home/victor/dev/suricata/src/output-json.c:1075
    #3 0x55dc75dfd067 in RunModeInitializeOutputs /home/victor/dev/suricata/src/runmodes.c:863
    #4 0x55dc75b01392 in PreRunPostPrivsDropInit /home/victor/dev/suricata/src/suricata.c:2259
    #5 0x55dc75b0426a in SuricataMain /home/victor/dev/suricata/src/suricata.c:2978
    #6 0x55dc75af587c in main /home/victor/dev/suricata/src/main.c:22
    #7 0x7f18182ab082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
==42045==ABORTING
Actions #1

Updated by Jason Ish over 1 year ago

Multi-tenant specific issue?

Actions #2

Updated by Victor Julien over 1 year ago

No. Getting the same for non-MT.

Actions #3

Updated by Victor Julien over 1 year ago

Info: privs: dropped the caps for main thread [SCDropMainThreadCaps:util-privs.c:93]
Info: conf: Running in live mode, activating unix socket [ConfUnixSocketIsEnable:util-conf.c:163]
Error: logopenfile: Error opening file: "/var/log/suricata-root/eve.json": Permission denied [SCLogOpenFileFp:util-logopenfile.c:426]
=================================================================
==70788==ERROR: AddressSanitizer: attempting double-free on 0x6020002794f0 in thread T0 (Suricata-Main):

Clear that it is dropping privs, then opening the logfile. Dir is root owned.
Actions #4

Updated by Jason Ish over 1 year ago

Similar setup here, `default-log-dir` set to `/root`, otherwise default config:

Notice: suricata: This is Suricata version 7.0.1-dev (2786ccb086 2023-08-04) running in SYSTEM mode [LogVersion:suricata.c:1153]
Info: cpu: CPUs/cores online: 20 [UtilCpuPrintSummary:util-cpu.c:182]
Info: suricata: Running suricata under test mode [SuricataMain:suricata.c:2955]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2698]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:200]
Info: privs: dropped the caps for main thread [SCDropMainThreadCaps:util-privs.c:93]
Error: logopenfile: Error opening file: "/root/eve.json": Permission denied [SCLogOpenFileFp:util-logopenfile.c:426]
Error: runmodes: output module "eve-log": setup failed [RunModeInitializeOutputs:runmodes.c:865]
Actions #5

Updated by Jason Ish over 1 year ago

Update: sensor-name must also be set to a value.

Actions #6

Updated by Victor Julien over 1 year ago

  • Assignee changed from OISF Dev to Jason Ish
Actions #7

Updated by Jason Ish over 1 year ago

  • Status changed from New to Assigned
Actions #8

Updated by Jason Ish over 1 year ago

  • Status changed from Assigned to In Review
Actions #9

Updated by Jason Ish over 1 year ago

  • Status changed from In Review to Closed

Merged.
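
The ASan report in this ticket shows one buffer (allocated with SCStrdup in OutputJsonInitCtx) released at output-json.c:1210 and again inside LogFileFreeCtx when opening eve.json fails. The following is an added illustration of that error-path ownership pattern, not Suricata source and not the merged fix; LogCtx, release_name, log_ctx_free, output_init and the log path are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the failure path in the report; NOT Suricata source.
 * All type and function names below are hypothetical. */
typedef struct { char *sensor_name; FILE *fp; } LogCtx;

static int name_frees;  /* times the sensor-name buffer was released */

/* Stand-in for free(): the real free() runs once and repeats are only
 * counted, so the flawed path can be exercised without a real double free. */
static void release_name(char *p) {
    if (p != NULL && name_frees++ == 0) free(p);
}

/* Destructor: owns every member of the context, including sensor_name. */
static void log_ctx_free(LogCtx *c) {
    if (c == NULL) return;
    release_name(c->sensor_name);
    if (c->fp != NULL) fclose(c->fp);
    free(c);
}

/* Returns 0 on success, -1 when the log file cannot be opened.
 * flawed != 0 frees sensor_name early and then still runs the destructor. */
static int output_init(const char *path, const char *sensor, int flawed) {
    LogCtx *c = calloc(1, sizeof(*c));
    if (c == NULL) return -1;
    size_t n = strlen(sensor) + 1;
    name_frees = 0;
    c->sensor_name = malloc(n);
    if (c->sensor_name != NULL) memcpy(c->sensor_name, sensor, n);
    c->fp = fopen(path, "a");
    if (c->fp == NULL) {
        if (flawed) release_name(c->sensor_name); /* freed, pointer left set */
        log_ctx_free(c);  /* releases sensor_name (a second time if flawed) */
        return -1;
    }
    log_ctx_free(c);      /* demo only: tear down immediately on success */
    return 0;
}

/* Runs the open-failure path against a constructed, non-existent directory. */
static int frees_on_open_failure(int flawed) {
    output_init("/nonexistent-dir/eve.json", "sensor-1", flawed);
    return name_frees;
}

int main(void) {
    printf("flawed cleanup: %d frees\n", frees_on_open_failure(1));
    printf("single-owner cleanup: %d frees\n", frees_on_open_failure(0));
    return 0;
}
```

Leaving the release to the destructor is one way to keep a single owner; setting the pointer to NULL right after an early free is the other common one.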
